2016-02-11

Sorry, but still unclear on crypto #IPBill

The report from the Joint Committee is not as good as it could be - many recommendations to get issues clarified but still basically agreeing with what the bill is trying to do, even the data retention.

One key comment is :-

Government still needs to make explicit on the face of the Bill that CSPs offering end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so.

That sounds good, and I would agree, but sadly it still does not go far enough. It is still unclear if an order to maintain a capability could require CSPs to engineer things so that they are not offering end-to-end encryption or so that it is somehow practicable for them to decrypt it.

CSPs still do not know. The bill needs to be clear that offering communications services, where the content cannot be accessed, is permitted. It also needs to make clear that continuing to offer such services, in that way, even with an intercept warrant, or a "maintenance of capabilities" order, is permitted.

As I say, criminals can send encrypted messages - we need this to be clear for everyone else. It is possible to do the end-to-end encryption yourself, so why should companies not be able to offer such services to customers freely and therefore help all of the non-criminals be safe on the internet as well as the criminals?

2 comments:

What disappoints me is they acknowledge that it's perfectly possible to evade these measures, that logging traffic is very hard in an age where Cloudflare protects half the Internet, where everything is going to HTTPS, TOR and VPNs are readily available...

How can it be justified to spy on people in this way when it's so easy for any criminal or terrorist to evade it? It's as nonsensical as an anti-crime policy that goes around asking "Sir, are you a criminal?" as a means of prevention.

I mentioned in my submission that anyone can encrypt anything themselves, such that even services directly dealing with the person have no idea about the contents. As you say, anyone can run anything through an algorithm like PKC or an OTP before sending a text, email, WhatsApp, uploading files.

Then there's steganography, where I don't even need to exchange texts with John the Terrorist. I can put up images, and send messages without anyone being any the wiser. With low payloads and original images, that's impossible to detect.

I will be evading this with ease if it does ever get implemented, but I shouldn't have to. Trouble is, any competent criminal/terrorist will as well...

You've been on Sky, you've been in the House, you're writing here. Each has their own particular audience characteristics.

Have you thought about (or have I missed) something on the fringes of the technical media? The Register seems quite keen on this kind of stuff at the moment, but currently without the depth you could bring to the picture. Maybe there are other better outlets too.
